Overview

Description

WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC does not properly filter user input, allowing a remote attacker to supply SQL commands that may be executed by the underlying database.

Impact

A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of a WebEOC database, including authentication and sensitive medical information.

Solution

Upgrade

Version 6.0.2 corrects this vulnerability. According to ESi:

Specific validation checks have been added to all input fields that appeared to be susceptible to SQL injection or cross-site scripting attacks to protect input fields against SQL injection or XSS attempts. In addition, all function parameters are validated in the application business logic. The validation process replaces ' with '' for String parameters, and for numeric parameters it verifies that the parameter is numeric. Such checks are a good first line of defense against SQL injection attacks.